Apple fixes dozens of vulnerabilities in iOS and OS X

Apple has updated both iOS and OS X operating systems in a bid to patch security holes that could have left users open to remote code execution, application termination and encrypted traffic interception.

The update to OS X Yosemite plugs around 70 security holes affecting commonly used apps and features such as Mail, Bluetooth, QuickTime and Spotlight.

According to the Apple advisory, some vulnerabilities could “lead to execution of arbitrary code”. Other flaws could allow hackers to bypass security features, start DoS attacks as well as terminate applications and processes.

One such flaw could be used to modify the EFI firmware that helps in starting up a Mac, rather like BIOS did in the PC. The fix for the Mail app prevents the content of an HTML message being replaced with an arbitrary web page.

The update also mitigates the Rowhammer vulnerability, which could enable malware to compromise data stored in DRAM, gaining access to memory and taking over a system.

In a security advisory for its iOS 8.4 update, Apple said this would fix over 20 vulnerabilities, including the Logjam vulnerability. This encryption issue has been known about for months and could enable a hacker to insert themselves into a connection and intercept secure negotiations for an encrypted session. This would then force a server to try using an outdated encryption method that could be attacked. Apple fixed this by updating its CoreTLS component.

Other issues fixed include WebKit flaws that could lead to arbitrary code execution and a problem with how the framework handled some SQL functions.

“An insufficient comparison issue existed in SQLite authoriser which allowed invocation of arbitrary SQL functions. This issue was addressed with improved authorisation checks,” according to the advisory.

Another flaw could replace a legitimate app with a rogue one under some conditions. The so-called Manifest Masque Attack affected users trying to download an in-house iOS app wirelessly, using enterprise provisioning from a website.

“The demolished app (the attack target) can be either a regular app downloaded from the official App Store or even an important system app, such as Apple Watch, Apple Pay, App Store, Safari, Settings, etc. This vulnerability affects all iOS 7.x and iOS 8.x versions prior to iOS 8.4,” according to a blog posting from researchers at FireEye.

“We first notified Apple of this vulnerability in August 2014,” it added.

As per normal Apple security practices, the Cupertino-based company said it would not “disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available”.

OS X Yosemite v10.10.4 and Security Update 2015-005 (for OS X 10.8 Mountain Lion and OS X 10.9 Mavericks), both available from the Mac App Store. iOS 8.4 updates can be obtained by heading to the Settings app on the iPhone and iPad.

Security researchers said that while the potential was there for hackers to gain access to Macs and iOS devices, it may not be worth a hacker's while to do so.

“These bugs do enable a hacker to gain complete control but it's not an easy task to do,” Mark James, security specialist at IT Security Firm, ESET told SCMagazineUK.com. “Extraordinary techniques need to be used to enable them to do this and realistically the average user will not be attacked through this method.”

James said that Mac users have always looked at themselves as generally not suffering from malware purely because of the amount of Windows users vs Mac users. “But malware is a very real threat these days for any platform we are accessing the internet on, whether that's Mac, Windows or indeed a mobile environment,” he added.

That aside, James urged Mac users to update as soon as possible. “If something is insecure and there's a fix then that fix should be applied without fail. Either install it or remove it, if it can be exploited then you can be sure someone somewhere will be trying to utilise that method to infect you with malware,” he added.